Using SCIM with ThingWorx
System for Cross-Domain Identity Management (SCIM) is a standardized, automated method to keep user identities synchronized across disparate data stores and systems.
By default, SCIM is not started and is disabled upon platform start-up. Its enable and started states are controlled by the platform-settings.json configuration.
SCIM Endpoints for user/group management require credentials with Administrator rights. SCIM Endpoints are only accessible when configured to be enabled and when SSO is enabled.
For more information, see
ThingWorx supports the following:
SCIM 1.1 – when PingFederate is the CAS
SCIM 2.0 – when Azure AD is the CAS and the IdP
Outbound provisioning
Create, update, and delete users or groups
Configure defaults for SCIM-provisioned users and groups
For example, consider the following scenario:
The “Sally” SCIM object can contain any number of useful attributes (user name, email, phone number, etc.)
If something changes (for example, Sally is promoted), SCIM can automatically update her ThingWorx user attributes accordingly. When Sally leaves the company, her ThingWorx user account is deleted or disabled when she is removed from the directory server.
Some user and group attributes may need additional configuration. This can be done when managing outbound provisioning from PingFederate. For more information, see the Ping Identity Knowledge Center: Specify custom SCIM attributes.
The metadata mapping between ThingWorx User Extension properties and SCIM Schema 1.1 is fixed. For more information, see Create a Channel to the Data Store.
When SSO is enabled, ThingWorx requires OAuth tokens when provisioning through SCIM.
See the Ping Identity Knowledge Center for more information: Enable outbound provisioning
When Azure AD is the CAS and the IdP, the OAuth token type is JWT.
Was this helpful?